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Abstract. We consider the dihedral hidden subgroup problem as the 
problem of distinguishing hidden subgroup states. We show that the 
optimal measurement for solving this problem is the so-called pretty 
good measurement. We then prove that the success probability of this 
measurement exhibits a sharp threshold as a function of the density 
V = A:/ log2 A'^, where k is the number of copies of the hidden subgroup 
state and 2N is the order of the dihedral group. In particular, for 
v < 1 the optimal measurement (and hence any measurement) identifies 
the hidden subgroup with a probability that is exponentially small in 
log A'^, while for v > 1 the optimal measurement identifies the hidden 
subgroup with a probability of order unity. Thus the dihedral group 
provides an example of a group Q for which r2(log \Q\) hidden subgroup 
states are necessary to solve the hidden subgroup problem. We also 
consider the optimal measurement for determining a single bit of the 
answer, and show that it exhibits the same threshold. Finally, we con- 
sider implementing the optimal measurement by a quantum circuit, and 
thereby establish further connections between the dihedral hidden sub- 
group problem and average case subset sum problems. In particular, 
we show that an efficient quantum algorithm for a restricted version of 
the optimal measurement would imply an efficient quantum algorithm 
for the subset sum problem, and conversely, that the ability to quantum 
sample from subset sum solutions allows one to implement the optimal 
measurement. 



1. Introduction 

Quantum computers promise to solve certain problems asymptotically 
faster than their classical counterparts. In particular, Shor's discovery of an 
efficient quantum algorithm for factoring [32] — a cryptographically signifi- 
cant task for which no efficient classical algorithm is known — has motivated 
considerable investigation into the potential algorithmic uses of quantum 
computers. Along with its predecessors pilSlinillH]. Shor's algorithm can be 
viewed as a solution to one of a large class of problems known as hidden sub- 
group problems [lll28j . several of which also have applications to interesting 
computational problems for which no efficient classical algorithm is known. 
Thus the broader question arises: under what circumstances can the hidden 
subgroup problem (HSP) be solved efficiently by a quantum computer? 

Encouragingly, the quantum query complexity of the general HSP is poly- 
nomial: for any group Q, only poly (log |^|) quantum queries of the function 
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that hides a subgroup are sufficient to solve the problem P^HT^ OH]. Thus 
lower bounds showing that the HSP is intractable are unlikely to be forth- 
coming. However, the processing of the queries could take exponential time, 
so it remains a challenge to find algorithms that are efficient in terms of the 
number of elementary operations. 

Following Shor's discovery, there has been considerable progress in show- 
ing that quantum computers can efficiently solve the HSP for particular 
groups and particular kinds of subgroups (4 n1 7li2nH2lll29ll3nrS.S , 36...4.S) (al- 
though there is also evidence that some hidden subgroup problems may be 
hard even for quantum computers |321l37ll^ l. However, for many hidden 
subgroup problems, the speedup offered by quantum computers (if any) re- 
mains unknown. In particular, no efficient quantum algorithm is known 
for two cases whose applications are of particular interest, the symmetric 
group and the dihedral group. For the former, an efficient quantum al- 
gorithm could be used to efficiently solve the graph isomorphism problem 
pilHll2ll27j . while for the latter, an efficient quantum algorithm could be used 
to efficiently solve certain cryptographically significant lattice problems 0J . 
Recent progress on the dihedral HSP has been particularly encouraging: Ku- 
perberg gave an algorithm using subexponential (but superpolynomial) time 
and space [H^, and Regev improved this algorithm to use a similar amount 
of time but only polynomial space j40j . 

In this paper we concentrate on the dihedral hidden subgroup problem. In 
particular, we study the optimal measurement for solving this problem given 
samples of certain quantum states we call hidden subgroup states. We find 
that the success probability of the optimal measurement exhibits a sharp 
threshold as a function of k, the number of copies of the hidden subgroup 
state. For the dihedral group of order 2N, let k = vlogN, where is the 
density. (The logarithms in this article are always base 2.) For any fixed 
density v > 1, the optimal measurement identifies the hidden subgroup 
with constant probability, and therefore an efficient quantum circuit for 
implementing this measurement would solve the dihedral hidden subgroup 
problem. (This can be compared to previous results showing that a success 
probability of 1 — 1/ 2 can be achieved with u > 89 jl5j , and that a success 
probability of l/poly(log A^) can be achieved with v > 1 0^.) However, for 
any fixed u < 1, the success probability of the optimal measurement (and 
hence of any measurement) is exponentially small in logA^. This bound 
shows that r2(log \ Q\) hidden subgroup states are in fact necessary to solve 
the dihedral HSP. To the best of our knowledge this is the first time more 
than a constant number of copies of the hidden subgroup state have been 
shown to be necessary for any hidden subgroup problem. 

In addition to studying the success probability of the optimal measure- 
ment, we also establish further connections between the dihedral hidden sub- 
group problem and average-case subset sum problems of density z^. Regev 
showed that the dihedral HSP can be solved efficiently if one can efficiently 
solve average case subset sum problems with v > 1 |41j . We show that the 
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optimal measurement for k = u log copies can be implemented if one can 
quantum sample from subset sum solutions at density v, and conversely, 
that an implementation of the optimal measurement (of a certain restricted 
form) by a quantum circuit can be used to solve the average case subset sum 
problem. 

Our results can be compared to those of Ip showing that Shor's algo- 
rithm is an optimal solution to the abelian hidden subgroup problem |3nj . 
In light of this observation, it is natural to consider the optimal measure- 
ment for other hidden subgroup problems as an approach to finding efficient 
algorithms. Our results show that if such an algorithm is efficient for the di- 
hedral HSP, then one should focus on finding an efficient quantum algorithm 
for the average case subset sum problem with v > 1 (or on implementing 
the measurement by a quantum circuit not of the restricted form that could 
be used to solve subset sum). 

This paper is organized as follows. In Section [3 we review the hid- 
den subgroup problem in general, and in Section |21 we review the dihedral 
hidden subgroup problem in particular. We present the optimal measure- 
ment for the dihedral HSP in Section 0] and establish bounds on its success 
probability in Section [51 In Section |21 we show that the bounds of Sec- 
tion |21 are significantly stronger than those one obtains from straightforward 
information-theoretic arguments. Then, in Section [3 we show that the 
problem of determining just the least significant bit of the answer requires 
essentially as many copies of the hidden subgroup state as are required to 
obtain the entire answer. In Section |H1 we establish connections between 
the optimal measurement for the dihedral HSP and the subset sum prob- 
lem. Finally, we conclude in Section IHl with a discussion of the results and 
some open problems. 

2. The hidden subgroup problem 

We begin by reviewing the hidden subgroup problem. Let ^ be a finite 
group of order \Q\. We assume that the elements of this group can be 
efficiently represented as strings of poly(log|^|) bits. Consider a function 
f : Q ^ S where S is some finite set whose elements can also be efficiently 
represented as strings of poly(log \Q\) bits. In the HSP, we are given such a 
function and promised that it is constant and distinct on left cosets of some 
subgroup 7i < Q. In other words, f{gi) = f{g2) if and only if gi and 52 
are in the same left coset of 7i. The hidden subgroup problem is, given the 
ability to query the function /, to produce a generating set for the subgroup 

n. 

In the quantum version of the HSP we are given a unitary operator Uf 
that computes the function /. Explicitly, this quantum oracle acts as 

(1) Uf ■.\g,y) ^\g,y(B f{g)) 

for all g & G and y G S, where © is the bitwise exclusive or operation. If we 
input the basis state \g, 0) into this oracle, it simply evaluates the function: 
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Uf\g, 0) = \g, f{g))- Our goal is to use this black box to find generators of 
the hidden subgroup in a time polynomial in log \ Q\. 

In the standard approach to solving the hidden subgroup problem with a 
quantum computer (used by all known quantum algorithms for the HSP), 
one inputs a superposition over all group elements into the first register and 
|0) into the second register, giving 



Suppose we now discard the second register. Due to the promise on /, the 
state of the first register is then a mixed state whose form depends on the 
hidden subgroup Ti, 



' ' g&fC 

where /C C ^ is a complete set of left coset representatives oiTi in Q (of size 
|/C| = |^|/|'H|), and where we have defined the coset states 



We will call p?^ the hidden subgroup state corresponding to the subgroup 7i. 

Early quantum algorithms, including Deutsch's algorithm [^, the Deutsch- 
Jozsa algorithm jSj, the Bernstein- Vazirani algorithm [^j, Simon's algorithm 
[46j . and Shor's algorithm HSI, all solve examples of the abelian HSP but 
were not originally described in this language. The formulation in terms of 
a hidden subgroup was presented by Boneh and Lipton |^, who also noted 
the connection between the HSP over the symmetric group and the graph 
isomorphism problem. 

The HSP over arbitrary finite abelian groups has an efficient quantum 
algorithm [Il l23l0^l451l46j . Hallgren, Russell, and Ta-Shma proved that 
the HSP has an efficient quantum algorithm whenever the subgroup TC is 
promised to be normal and there is an efficient quantum Fourier transform 
over the group Q [2^. Grigni, Schulman, Vazirani, and Vazirani showed that 
the HSP over "almost abelian" groups has an efficient quantum solution , 
and this result was extended by Gavinsky to "near-Hamiltonian" groups 
j2Uj . Piischel, Rotteler, and Beth gave an efficient quantum algorithm for 
the HSP over the wreath product I Z2 , and Priedl et al. showed how 
to solve the HSP over a semidirect product Z^j. x Z2 for a fixed prime power 

Moore, Rockmore, Russell, and Schulman gave an efficient quantum 
algorithm for the HSP over certain semidirect product groups, the g-hedral 
groups IHEj) and Inui and Le Gall gave a solution for semidirect product 
groups of the form Z^fc x Zp with p an odd prime |29l . 

Finally, as mentioned in the introduction, there is also a body of knowl- 
edge about the query complexity of the HSP. In particular, Ettinger, H0yer, 
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and Knill have shown that 0(log|^|) quantum queries of the function / 
are sufficient to determine the hidden subgroup 13J. Unfortunately, the 
quantum algorithm they present requires time 0(|^|). 

3. The dihedral hidden subgroup problem 

The dihedral group of order 2N , denoted Ptvj is the group of symmetries 
of a regular A^-sided polygon. This group is generated by two elements r 
and s satisfying the relations = e, = e, and rsr = , where e is 
the identity element. Here s corresponds to a rotation of the polygon and 
r corresponds to a reflection. A generic element of the dihedral group can 
be written as r^s^ where t S Z2 and s ^ Tjjm, and group multiplication is 
given by r* s'^ r^s^ = r*"*"* s'^+(^^) . (Throughout this article we write Z^r 
to denote Z/NZ.) 

The dihedral hidden subgroup problem (DHSP) was first considered by 
Ettinger and H0yer They showed that given 0{logN) queries to the 
hidden subgroup oracle for the dihedral group, there exists a quantum al- 
gorithm whose output contains enough classical information to solve the 
DHSP, and therefore that the query complexity of the DHSP is O(logA^). 
Unfortunately, they were not able to find an efficient algorithm to process 
the output, so this approach has not yet led to an efficient algorithm for the 
DHSP. 

A major motivation for attempting to solve the DHSP is a connection 
to lattice problems discovered by Regev il . A d-dimensional lattice is 
the set of all integer linear combinations of d linearly independent vectors 
in that form a basis for the lattice. In the shortest vector problem, one 
attempts to find the shortest (nonzero) vector in the lattice given a basis. In 
particular, in the g{d) unique shortest vector problem, we are promised that 
the shortest vector is unique and shorter than all other non-parallel vector by 
a factor g{d). The presumed hardness of certain g{d) unique shortest vector 
problems is the basis for a cryptosystem proposed by Ajtai and Dwork (in 
which g{d) = 0{d^)) P, and a subsequent improvement proposed by Regev 
(in which g{d) = 0{d^'^)) [32j. Regev showed that an efficient quantum 
algorithm for the DHSP that works by sampling hidden subgroup states can 
be used to solve the poly((i) unique shortest vector problem ^ll, thereby 
breaking the proposed lattice cryptosystems. 

Regev also gave a promising path toward solving the DHSP in the form 
of a connection to the subset sum problem. In the subset sum problem, one 
is given k numbers between and — 1, denoted x E Z^, and a target 
t G Zjv, and the goal is to find a subset of the k numbers, specified by a 
binary vector b G Z^, such that b-x = t, where b - x := Yl'j=i ^j^j mod N. If 
such a subset exists, then we call {x,t) a legal subset sum input. Regev has 
shown that if one can efficiently solve l/poly(log A^) of the legal subset sum 
inputs (with k > log + 4) then there is an efficient quantum algorithm 
for the DHSP |41j . While the general subset sum problem is NP-hard, note 
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that an algorithm for average-case inputs with k > log + 4 a fixed function 
of N would be sufficient to solve the DHSP. 

The first subexponential time quantum algorithm for the DHSP was given 
by Kuperberg, who showed how to solve it in 2'^(v^^°s^) time, space, and 
queries Regev reduced the space requirement to poly(logA^) at the 

expense of only slightly greater time and queries [lU]. Regev's approach 
also shows a connection to the average case subset sum problem. 

In trying to solve the DHSP, it is convenient to focus on a simplified ver- 
sion that is in fact equivalent in difficulty to the full problem. Specifically, 
we will focus on the case in which the subgroup Tl has order two. In gen- 
eral, there are two types of subgroups of Vjy, cyclic subgroups and dihedral 
subgroups. The cyclic subgroups consist only of rotations; they are of the 
form 

(5) C^/j ■= {e,s^,...,s'^}, 

where j G Zjy is a divisor of N. Note that Ci is simply the trivial subgroup. 
The dihedral subgroups consist of rotations and reflections, and are of the 
form 

(6) ■= {e, s^,..., s-^rs'', rs^^", r^-^+'^j , 

where j € Zjy is a divisor of N and d G Zjy. Note that T>]^^ci = T^N for any d. 
Furthermore, note that Pi^d = {e, rs'^} is an order two subgroup for any d. 
The cyclic subgroups Cj^jj are all normal iwVn (that is, ghg~^ £ ^N/j ^^i 
all h G Cn/j 9 ^ T^n) while none of the dihedral subgroups are normal 
except for the full dihedral group, V^. 

Ettinger and H0yer have shown that an efficient quantum algorithm for 
the DHSP exists if one can solve the DHSP with the promise that the hidden 
subgroup is either the trivial subgroup, Ci = {e}, or is some subgroup of 
order two, 2?!,^ = {e, rs*^} for some (unknown) d G Ijn We will further 
restrict the problem by determining the optimal measurement only for the 
order two subgroups. In fact, it will turn out that when this restricted 
measurement succeeds with high probability, it also identifies the trivial 
subgroup with high probability, and therefore can be used to solve the DHSP 
in general. 

We will represent a dihedral group element r*s^ using two quantum reg- 
isters, \t,k), where the first register is a single qubit and the second register 
consists of [logA^] qubits. When the subgroup is an order two subgroup 
Vi^d, then the standard approach produces the random coset state 

(7) \4>k4) = ^i\0,k) + \l,-k + d)) 

where k is uniformly sampled from Zjy and addition is done in Z^v, i.e., 
modulo N. In other words, the hidden subgroup state corresponding to the 
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subgroup Ti = Vi^cL is 

(8) Pd^j:^^ \^k,d){^k,d\ ■ 

It will be convenient to change the basis by Fourier transforming the second 
register (over Zjv) conditional on the first register being |1) and inverse 
Fourier transforming the second register conditional on the first register 
being |0). In this new basis, the hidden subgroup state is 

(9) P'^^T^ 12 \^=o,d){4>x,d\ 
where 



N 



(10) \4>.,a) := + cv^'mx) 

with uj := exp(27ri/N). When the subgroup is the trivial group, the standard 
approach produces a random state \t,x) with t uniformly sampled from Z2 
and X uniformly sampled from Z^r- Thus the hidden subgroup state when 
the hidden subgroup is 7^ = Ci is simply the maximally mixed state 

(11) P{e} = ^ = ^ 



where I2N is the 2A^-dimensional identity matrix. 

Our goal is to determine d given k copies of the state p^- It will be helpful 
to write the state in a way that begins to reveal the connection to the subset 
sum problem. Note that we can write 

(12) Pd = ^Il E 
Therefore 

(13) pT = 7^1: E ^^^'-''^■^^%^){c,x\ 

(14) =7^E ^'^'~'^vm\s;^^)isi,x\ 

x&% p,q&N 

where l^^) is the (normalized) uniform superposition over subsets of x G Z^ 
that sum to r G Zjv, 

(15) K) - -L E 1^) 

with := {b £ Z2 ■ b ■ X = r} denoting the set of bit strings corresponding 
to subsets of X that sum to r, and r]^ := \Sr\ denoting the number of 
such subsets. If rj^ = 0, then no such state can be defined, and we use 
the convention IS"^) = 0. When the subgroup is trivial, k copies of the 
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hidden subgroup state are simply k copies of the maximally mixed state, 

4. The optimal measurement 

In this section, we present the optimal measurement for distinguishing the 
hidden subgroup states p^''. The measurement will have N outcomes, one 
for each possible value of d, and will be optimal in the sense that the prob- 
ability of obtaining the correct outcome will be as large as possible. Recall 
that a general quantum measurement, a positive operator-valued measure 
(POVM), is specified by a set of positive operators {Ej}, Ej > 0, that sum 
to the identity, i.e., Ej = I. Given a density matrix p, the probability 
of obtaining the outcome j is tr Ej p. 

Ip was the first to consider optimal measurements for hidden subgroup 
problems ^SO^. In particular, he found the optimal measurement for the 
abelian hidden subgroup problem when the hidden subgroups are all given 
with equal a priori probabilities, thereby showing that the methods devel- 
oped to solve the factoring problem are optimal. Ip also derived the optimal 
measurement for the dihedral hidden subgroup problem given a single copy 
of the hidden subgroup state. As we shall see, this measurement fails to 
efficiently identify the order two subgroups. Since we know that there exists 
a measurement for solving the DHSP using O(logA^) copies of the hidden 
subgroup states, it is of interest to understand the optimal measurement 
given k ^ 1 copies. 

The optimal measurement turns out to be the pretty good measurement 
(PGM) (also known as the square root measurement or least squares 
measurement) [TT| . 

To prove that the PGM is optimal, we will use the following theorem: 

Theorem 1 (Holevo 26 , Yuen-Kennedy-Lax |1H])- Given an ensemble of 
quantum states pi with a priori probabilities pi, the measurement with POVM 
elements Ej maximizes the probability of successfully identifying the state if 
and only if 

(16) y^^piPiEj = y^^piEiPi 

i i 

(17) and '^piPiEi > pjPj Mj. 

i 

This condition follows most easily from noting that the maximization prob- 
lem is a semidefinite program |in ( l3n | H8] . While Theorem Q provides nec- 
essary and sufficient conditions for a measurement to be optimal, it is non- 
trivial in general to construct measurements that satisfy these conditions. 

Given p^^ with equal a priori probabilities for each d £ 7j]\f, we wish to 
find the measurements {Ej}j^zN that maximize the probabilities of correctly 
identifying these states, where we identify the measurement outcome j with 
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our guess for the hidden subgroup label d. The PGM is given by 

(18) E, = G-^'^pfG-^'^ 

where the inverse is taken over the support of G, and where 

(19) G:=Y, pf 

(20) =7^E E E-^'^'"^^v^i^P'-)(^^-i 

x€Z%p,q&^N j&^N 

(21) =7^ E Y.'^r\S^^x){S:,x\. 

Inserting H14|) and (|21|) into H18() , we find that the pretty good measurement 
for the dihedral hidden subgroup states has the measurement operators 

(22) ^i = ^E E ^'^'"'^i^P'^)(^^^i- 



That this measurement is optimal can be seen by substitution into ()16() 
and (dZl). We have 

(23) E p^^^ = E E ^AiWl^p^->('5p^-l = E ^^p^ 



which verifies H16() . Now pj is block diagonal with rank one blocks: pj = 
where 

(24) I^J)=(^E-^''v^l^p)- 
For any j ^'Li\] and for any block x G Z^, we find 

(25) ^p,ii;,|pj,:c) = -l^ ^ 

(26) >7^ E^P = (^JI/'J)' 

which verifies ()17p. 

Notice that since G is not supported on the entire (2A^)'^-dimensional 
space, the operators {Ej}j^^j^ do not form a complete partition of the iden- 
tity. (The dimension of the support of G, rankG = |{(rE,p) : x E Z^,p G 
Zjv,ryp > 0}|, is given by Sloane's integer sequence A098966 |17j.) To com- 
plete the measurement we can add an additional measurement operator, 
i?|e} ■= I — X^jeZiv associate this measurement outcome with the 

trivial subgroup. We emphasize that the measurement is only optimized for 
determining the order two subgroups. However, we will see that the optimal 
measurement with the additional measurement operator -E{e} also efficiently 
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identifies the trivial subgroup. Of course, the optimal measurement for the 
full dihedral group is never any better than the optimal measurement for 
distinguishing the order two subgroups. 

5. Success probability of the optimal measurement 

In this section we study the success probability of the optimal measure- 
ment for distinguishing the dihedral hidden subgroup states. Using the 
expressions (|14|) and (|22|) , a simple calculation shows that the probability of 
successfully identifying an order two subgroup is independent of the hidden 
shift d and is given by 



We now show that the success probability has a sharp threshold as a 
function of the density = A:/logA^. More precisely, we find 

Theorem 2. Ifu > l+j^^jv' ^^^'^ the probability of successfully determining 
the order two subgroup is at least 1/8. Furthermore, for any N and k, 
the probability of successfully determining the order two subgroup is less 
than (which in particular is exponentially small in logN for any fixed 

V < I). 

We will need the following lemma to prove the first statement of the 
theorem. 

Lemma 3 (Cf. proof of Lemma 4.1 of 41 ). For fixed r £ Zj^f and uniformly 
random x G Z^,, 



With this fact in hand, we can establish our main result. 

Proof of Theorem For the lower bound on the success probability, we have 



(27) 




(28) 




(29) 




by Cauchy's inequality applied to (|27j) . Now by Lemma El 



(30) 




(31) 
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for any r, which imphes 

iV / /2^ - 1 r~8iV 
(32) P>1^ 



(35) > 



2''\\ 2N V2'=-l 

1 

8 

where we have assumed k > log + 4 (and also, in particular, we have used 
k > 3). 

For the upper bound on the success probability, we have 

(36) P^^4mE (E^r^' 

P^' = N 

where in the first line we have used the fact that the r/'s are all integers to 
remove the square root in ()27() . and in the second line we have used the fact 
that X^reZjv ~ ™y ^- This completes the proof. □ 

We claimed earlier that when the measurement identifies the order two 
subgroups with reasonable probability, it will also identify the trivial sub- 
group. This follows from a simple calculation: supposing > 1 + ^^^^y , 

(38) p|,}:=tri?|,|pf^^^ 

rank G 

(39 = 1 - -, TTT 

N 

(40) >1-^ 

(41) >i5. 

^ ' - 16 

6. Bounds by information-theoretic arguments 

The proof of the above threshold theorem used specific properties of the 
dihedral hidden subgroup problem. It is reasonable to ask if this is necessary, 
or if one could instead obtain the same bounds using the powerful techniques 
of quantum information theory. This appears not to be the case. Here we 
derive the information-theoretic lower bound bound v = A;/ log N > p, which 
is weaker than the u > 1 bound of Theorem |2l for probabilistic, non-exact 
algorithms. 

Given k copies of the hidden subgroup state pd, we want to determine the 
outcome d with success probability at least p. Viewed in a data transmission 
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setting, we can imagine a sender encoding logA^ bits of information (the 
value d G Ztv) in the quantum state , after which a receiver decodes the 
logA'^ bits by solving the DHSP using the k copies of pd- The number of 
copies k required for this approach to work can be analyzed with the tools 
of quantum information theory, thereby giving a lower bound on k. Because 
the amount of information received depends on the success probability p, 
the lower bound on k will also depend on p. Roughly speaking, the amount 
of information that can be transmitted with k copies is upper bounded by k 
bits, while the received amount of information is lower bounded by plogN , 
leading to the lower bound k > p log N. The details follows. 

Given N, we define a source that draws from the uniform ensemble 
{(1/A^, /of'*^)}deZjv where each d occurs with equal probability Holevo's 
X quantity, defined by 

(42) x{S,):=s{^^pr)-^Y.SipT) 

d d 

where S{-) denotes the Von Neumann entropy of a mixed quantum state 
j39j . gives an upper bound on the accessible information of the ensemble. 
The state pd is defined in a 2A^-dimensional Hilbert space, and its spectrum 
consists of the eigenvalues and 0, each with multiplicity N, while the 
spectrum of the mixture jj'^dPd consists of the eigenvalues and 0, 
each with multiplicity 1, and the eigenvalue 1/2N with multiplicity 2N — 2. 
Hence, for the k = 1 case, we have xi'Si) = 1 — For general k, we have 
S{p^'') = klogN since the entropy is additive under tensor products. For 
the mixture P^^ Tioie that the reduced density matrices of each copy 
are equal to ^ pd- Hence, by subadditivity of the Von Neumann entropy, 
the entropy of this mixture is bounded from above by k S{jj Yld Pd)- Overall, 
this implies an upper bound of k{l — on the accessible information of 

Sk- 

Now, on the receiver's end, if the message can be decoded without error, 
then Sk has a capacity of log N bits per message. However, we should take 
into account that we are satisfied with a constant success probability p, 
which can be smaller than 1. In this more general case, the information 
transmitted by the source will be bounded from below by Ip > logA^ — 
H{p, j^^, . . . , j^^), where H{-) is the Shannon entropy of a probability 
distribution. Since xi^k) > Ip: we find 

(43) .(l-i)>,„gA.-i^(p,i^,...,l^) 

(44) = log iV - (1 - p) \og{N - 1) - H{p, l-p). 

For constant p and large N , this converges to the lower bound k > p\og{N — 
1) — H{p, 1 — p), which is significantly weaker than the bound k > log 
from our earlier Theorem [21 
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7. Determining the least significant bit 



Although the determination of the entire shift d requires at least log 
copies of the hidden subgroup state, one might hope to acquire partial infor- 
mation about the shift using fewer copies. For example, suppose one could 
determine the least significant bit of the shift using only a single hidden 
subgroup state. An iterative determination of the entire shift using such 
a measurement as a subroutine would still require logA^ hidden subgroup 
states, but the basic measurement for determining a single bit would be 
much simpler. However, here we rule out such a possibility: the optimal 
measurement for determining even just a single bit of the shift still requires 
log A^ hidden subgroup states. More precisely, we prove the following: 

Theorem 4. With k = v log A^ copies of the dihedral hidden subgroup state 
Pd, the probability of successfully identifying the least significant bit of d is 
exponentially close to ^ for any fixed u < 1. 

Note that since there is a measurement to determine the entire shift with 
constant probability for any fixed u > 1, in particular there is a measurement 
to determine the least significant bit with probability bounded away from 
1/2 in this regime. Thus Theorem 0] shows that the threshold for success 
remains essentially the same, at ~ 1, for the problem of determining just 
the least significant bit. 

To establish this result, we proceed as before: we first identify the opti- 
mal measurement, then derive an expression for its success probability, and 
finally place bounds on this expression. Our goal is to determine the least 
significant bit of d, i.e., whether d is even or odd. In other words, we would 
like to distinguish the two density matrices 



Since p+ + p-^ = j^G (with G given in (|2T1) ). the PGM for these states has 
the two POVM operators 



(45) 




Pd 



d even, odd 



(47) 



(46) 




d even, odd 



Now for simplicity, we assume A^ is even. The identity 



(48) 




p = ±q 
otherwise 
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can then be used to simplify these expressions, and we obtain 

(49) p± = E {Vr\S^r,^){S^r,A ± ^J^r\Sf , x) {S% , x\) 



(50) E^ = \Y1 E {\Sf,x){Sf,x\±\Sf,x){S-_ 



2 



We claim that this PGM is the optimal measurement for determining 
the least significant bit of the shift. To see this, check the conditions of 
Theorem n We have 

(51) Pi^i = P+^++P-^- 

(52) =7^ E E {vr + ^/^^\S'^.x){S■ 



x\ 



since the cross terms cancel. A similar calculation verifies (|16() . Then 



(53) E/'*^'~'°± = 7^^E J2V'lri-r{\Sr,x){S^,x\^\S^,x){S%,x\), 

which is clearly a positive matrix, verifying ()17() . 

The success probability of this optimal measurement is independent of 
whether d is even or odd, and is given by 

(54) p:=tTE+p+ 

=^7^E E(^^" + vW;)tr(|5,^x)(S?,x| + |5Jf,:r)(5^„x|) 



where we have used the fact that '}2x&'L'' Ylr&pf Vr — (2A^)^. 

With these expressions in hand, we are ready to prove Theorem 01 

Proof. We bound the expression for the success probability of the op- 
timal measurement. First consider the cases r = 0, N/2. For r = we 
have 



(^^) T^Tmk E 



_ 1) + 7V^ 



7fc 
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and for r = N/2 we have 

1 X _ N^-\2^ - 1) 



(60) <1. 

In fact, the latter expression holds for any r ^ 0, since for any non-empty 
subset of numbers, specifying all but one of those numbers leaves exactly one 
possible subset summing to r. The additional A^'^ term for r = comes from 
the contribution of the empty set for each of the A^'^ possible assignments 
of the x's. 

For the remaining terms, we have 

(61) 7^ E EvW;<7^ E E«^ 



(62) 



(N -2){2'' - 1)(2'= -2)N 



fc-2 



(2A^)* 



2 



fc 



(03) <-. 

In the first line we have used the fact that the r/'s are integers to remove the 
square root. In the second line we consider fixing one of the N—2 values of r, 
and consider a non-empty subset S (of which there are 2^^ — 1) and a distinct 
non-empty subset T (of which there are 2^^ — 2) . If we consider two elements 
i,j such that either i £ S — T and jGT^oriGT— S and j £ S (such a 
choice is always possible because S and T are non-empty and distinct), then 
for any values of the remaining k — 2 elements, there is exactly one choice 
for elements i and j such that the elements in S sum to r and the elements 
in T sum to -r. Thus the sum is exactly {N - 2) (2*= - 1)(2'' - 2)N''-^. 
Using these expressions in (|56|) . we find 

1 / 2^= 6 3 

Thus we see that with k = u log N ^ the success probability is exponentially 
close to 1/2 for any fixed u < 1. □ 

8. Relation to the subset sum problem 

Given that the optimal measurement solves the DHSP if (and only if) 
v > 1, we would like to understand whether this measurement can be im- 
plemented efficiently. In this section we consider how to implement the 
measurement by a quantum circuit, and we find that its implementation is 
closely related to the subset sum problem. 

Recall the definition of the subset sum problem: given x G and t G Z^v, 
find a subset 6 G Z2 such that b ■ x = t. If such a b exists, we call {x, t) a 
legal instance. In the decision version of the subset sum problem, we wish 
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to determine only whether a given instance is legal or not. This problem is 
NP-complete. We might also want to return one or more of the subsets b 
in the case where the instance is legal. Regev has shown that if there exists 
an efficient algorithm for finding one such subset for a large fraction of the 
legal instances, then one could solve the dihedral hidden subgroup problem 
efficiently |41j . More precisely, 

Theorem 5 (Regev |41|). If there exists an efficient algorithm that finds a 
subset b such that b-x = t for a fraction l/poly(log A^) of the legal subset sum 
instances {x,t) when k > log A'" + 4, then there exists an efficient quantum 
algorithm for the dihedral hidden subgroup problem. 

Here we show a similar result for the implementation of the optimal mea- 
surement for the dihedral hidden subgroup states. Namely, if one can effi- 
ciently quantum sample from subset sum solutions at density = k/logN, 
then one can efficiently implement the optimal measurement for the DHSP 
with k copies. We also show a weak converse to this result: if one can effi- 
ciently implement the optimal measurement by a quantum circuit (under a 
certain restriction), then one can in turn solve the average case subset sum 
problem of corresponding density (and indeed, can quantum sample from 
subset sum solutions). 

Recall from ()2'2() that the POVM operators for the DHSP can be expressed 

as 

(65) ^^■ = ^E E 

(66) = ^ \x){x\ 
where 

(67) i?J:=l E -^'^''-'\S;){SI\. 

p,q&N 

In other words, each Ej is block diagonal, with blocks labeled by some 
X G Z^. Because each Ej has high rank, there is considerable freedom in 
how one implements the measurement by a quantum circuit. However, from 
a representation-theoretic perspective (see the Appendix), it is natural to 
perform this measurement in a particular way, first measuring the label x 
and then performing the POVM {Ej}j^zM conditioned on that label. Note 
that each E^ is rank one, so that the POVM {Ej}j^iM for fixed x G 
is refined into one-dimensional subspaces, removing much of the freedom in 
the implementation of the original POVM {Ej}. 

For any given x G Z^, we consider the implementation of the POVM 
{Ej}j^ZN by an x-dependent quantum circuit followed by a measurement 
in the computational basis to give the outcome j. In general, this circuit 
and measurement will act on a larger Hilbert space than is required to 
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hold the original input. The quantum circuit will then correspond to some 
unitary operation on the larger space. Without loss of generality, we can 
assume that the final measurement is in a basis such that the values 

j £ {0, 1, . . . , — 1} indicate the measurement outcome Ej. According to 
Neumark's theorem, the unitary operator U has the block form 

/yx j^x 

(68) = 
where 

(69) ^^'■=iw ^ -^-''\3){S' 



X I 



is a fixed (A^ x 2'^)-dimensional matrix whose columns are the (subnormal- 
ized) vectors corresponding to the rank one POVM elements {E^}, and 
A^,B^,C^ are arbitrary up to the requirement that is unitary. It is 
convenient to perform a Fourier transform on the left, i.e., on the index j 
(over Ztv, for the relevant values j G {0, 1, . . . , — 1}), giving a unitary 
operator 



't/X AX 

(70) U"" =[ ~ 

\ J \ jtjX QX 



with 

(71) ^'^=^ E ^'^''-'^p){sl\ 

(72) =Y,\v){s;\. 

Clearly, can be implemented equivalently if and only if can be im- 
plemented efficiently. Therefore, if we have an efficient quantum circuit for 
the transformation 



(73) \p,x) 



where \ipp) is any state allowed by the unitarity of (i-e., if we can effi- 
ciently quantum sample from subset sum solutions for legal inputs), then by 
running this circuit in reverse, we can efficiently implement U^, and hence 
the measurement. 

Conversely, given the ability to implement the optimal POVM by the 
measurement of x followed by an efficient implementation of U^, we can 
solve the subset sum problem. By running the quantum circuit for in 
the reverse direction, we can efficiently implement the transformation (|73|) . 
Suppose we are trying to solve the subset sum problem for a legal instance 
{x,t). Using we can produce the state \Sf), which upon measurement 
gives a uniformly random subset of x summing to t. On the other hand, if 
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the instance is not legal, then we can easily check that the output does not 
correspond to a subset of x summing to t. 

If we could efficiently implement the unitary operation for any k = 
poly (log A'^), then we could solve the subset sum problem efficiently even 
in the worst case. Since the subset sum decision problem is NP-complete, 
such an implementation seems unlikely. However, for the purpose of solving 
the DHSP, it is sufficient to consider fixed k (as a function of A^, with 
ly = k/logN > 1 according to Theorem |2) and implement the measurement 
approximately. In this case, an implementation of the measurement only 
implies a solution to the average case subset sum problem at density i^, which 
may be considerably easier. Conversely, to implement the measurement 
at density z/, it is sufficient to approximately quantum sample subset sum 
solutions at that density. 

The critical density ~ 1 for the success of the optimal measurement 
coincides with the critical density above which almost all subset sum in- 
stances are legal and below which almost all subsets have a distinct sum. 
No efficient algorithms are known for the subset sum problem at this crit- 
ical density. But for sufficiently low or high density, the problem becomes 
tractable. For densities v < 0.941, there is an efficient algorithm assuming 
the ability to find short vectors in lattices [HIEIEIISSI- Unfortunately, this 
lattice problem seems to be difficult. However, using known basis reduction 
algorithms, this approach can be used to efficiently solve subset sum prob- 
lems with no computational assumptions for very low density, k < C\/\og N 
for some constant c pTHlO^] . 

Since we require v > 1 for a solution to the DHSP, the high density 
regime is more interesting for our purposes. Until recently, the best known 
result was a poly(/c)-time algorithm for the case k > cN for some constant 
c jOlE]. These results are not helpful since they yield algorithms whose 
running times are exponential in log A^. However, Flaxman and Pryzdatek 
recently showed how to produce subset sum solutions in poly(/c) time with 
k = 2'^(^^^°s |16j . Their result, together with Regev's connection to the 
subset sum problem (Theorem gives an alternative subexponential time 
quantum algorithm for the DHSP with the same performance as Kuperberg's 
algorithm. However, it is not immediately clear whether their algorithm 
can be used to quantum sample (or even to randomly sample) from subset 
sum solutions, so it does not immediately provide an implementation of the 
optimal measurement. 

It is not inconceivable that one could find a quantum algorithm (or even 
a classical one) for the subset sum problem at still lower density, and thus 
find an improved algorithm for the DHSP. Furthermore, we remark that 
our restriction of first measuring x and then implementing the appropriate 
measurement conditional on x, while natural from a representation-theoretic 
viewpoint, is not necessarily the best way to implement the optimal measure- 
ment. A direct implementation of the measurement without first measuring 
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X could in principle produce a quantum algorithm for the DHSP without 
solving the subset sum problem. 



9. Discussion 

In this paper we have studied the optimal measurement for distinguish- 
ing dihedral hidden subgroup states for order two subgroups. Using a result 
of Holevo and Yuen, Kennedy, and Lax, we proved that the pretty good 
measurement is optimal for this problem. We showed that the success prob- 
ability of this measurement has a threshold around the critical density ~ 1, 
and in particular, that l^(log A^) hidden subgroup states are necessary for 
the measurement to succeed with more than an exponentially small suc- 
cess probability. We also demonstrated that the problem of determining 
just the least significant bit of the answer is essentially no easier than the 
full problem. Finally, we considered the implementation of the measure- 
ment by a quantum circuit and found that it is closely related to the subset 
sum problem. We considered the special (but well-motivated) case in which 
the measurement first determines the block x, and then performs the opti- 
mal POVM within that block. For a given number of copies of the hidden 
subgroup state, we showed that this measurement can be implemented effi- 
ciently if and only if one can quantum sample from subset sum solutions at 
the corresponding density. 

Many open questions remain. First, given Kuperberg's sub exponential 
time algorithm for the DHSP using copies of the hidden sub- 

group state, as well as the Flaxman-Pryzdatek algorithm for finding a subset 
sum solution at the corresponding density, it seems promising to look for 
an implementation of the optimal measurement by quantum sampling from 
subset sum solutions at this density. As an intermediate step, it would be 
interesting simply to find an algorithm for producing a subset sum solution 
uniformly at random. 

Of course, implementing the optimal measurement at the Kuperberg den- 
sity would not yield an improvement over previous algorithms, so it would 
be more interesting to find an implementation of the optimal measurement 
at still lower density. If one pursues the natural strategy of first measuring 
the block x, then our results show that this approach is at least as hard 
as solving the subset sum problem, in which case one could simply apply 
Regev's Theorem El However, as discussed above, one could consider imple- 
menting the optimal measurement without first measuring x, which might 
give an improved algorithm for the DHSP without yielding an algorithm for 
subset sum. 

Finally, it would interesting to consider optimal measurements for other 
non-abelian hidden subgroup problems. Can such measurements be imple- 
mented efficiently in any of the cases where efficient algorithms are already 
known? Or more ambitiously, can any new quantum speedups be found in 
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this way? Presumably the subset sum problem has some analog for other 
groups, and such a problem might be interesting in its own right. 
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Appendix: Representation theory and the optimal measurement 

Many features of the hidden subgroup problem can be understood us- 
ing simple group representation-theoretic arguments. Here we present such 
arguments and demonstrate their application to the DHSP. 

Two important representations of a group Q for the HSP over that group 
are the left and right regular representations of Q. These representations 
act on a Hilbert space spanned by vectors {\g)}geg as 

(74) DL{gi)\g2) = \g192) ^R(<?i)b2) = |525r^) • 

Viewed as representations of the group algebra, these two representations 
are commutants of each other, i.e., Di{gi)Dji{g2) = Dji{g2)DL{gi). The 
hidden subgroup states pn defined in Q commute with the left regular rep- 
resentation: Di[g)p-}-i = p'}-iDL{g) for all g £ G- Hence, via Schur's lemma 
and the fact that the left and right regular representations are commutants, 
it is easy to show that a general hidden subgroup state can be expressed as 

(75) = E • 

' ' hen 

The regular representations are reducible. Let Q he a set of labels for a 
complete set of irreducible representations of G, and for any x S G, let Tx{g) 
be the xth irreducible representation (irrep) matrix for the group element 
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g £ Q- Let dx denote the dimension of the xth irrep. Then there exists 
a basis of the Hilbert space {\g)}g<^g-, labeled by m) with x ^ Q and 
£,m€z Zrf^, such that Dl and Dpi act as 

(76) DLig) = Txig) Dnig) = /d. ® T^ig) 

where is the d-dimensional identity matrix. The unitary transforma- 
tion that transforms between the bases {\g)}geg and {\x,£,m)}^^g ^ ^^^^^^ 
is nothing but the Fourier transform over Q, 

(77) Qe:=^EE E V4[r.(5)k ,171 

\x,i,m){g\ . 

V 1^1 aeg x(^g e,meZa^ 

Here [Tx{g)]e,m is the matrix element in the ^th row and mth column of the 
xth irrep at the group element g. 

If we perform the quantum Fourier transform over Q on the state p-^, we 
find in the new basis 



(78) PH 1^ 

■ xeg 

(79) =y2pix)^®PH,x<S)\x){x\, 

^ dx 

xeg 

a classical mixture over the irrep label x €z Q with probabilities 

(80) p{x) := ^ E 

' ' hen 

(where Xx '■= ^^^x denotes the character of the xth irrep) of a maximally 
mixed row state Id^/dx and the column state 

(81) Pn,x:= ^ ^m Er^'W- 

Since the row state is maximally mixed, it is clear that one learns nothing by 
measuring the row index Thus, it is natural to work in this basis and 
to discard the row state, focusing on the column state P'H,x- This procedure 
corresponds exactly to the particular form of the optimal POVM considered 
in Section |HJ 

To see this correspondence in detail for the DHSP, consider the irreducible 
representations of the dihedral group jl3]. These irreps are all either one- or 
two-dimensional. The two-dimensional irreps may be conveniently labeled 
by an integer \ < x < — 1, and are given by 

(82) Tx{s') = Jxk) and Txirs') = (l, "^'^^ 
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where uj := exp(27ri/A^). Notice that the irreps satisfy T^xig) = XTx{g)X 
where X is the Pauh matrix 



When N is odd, there are two one-dimensional irreps, the trivial irrep 



When is even, there are two additional one-dimensional irreps, the even 
irrep 



Now consider the approach to the DHSP of first performing a quantum 
Fourier transform over Q = and then measuring the irrep index. If the 
result obtained corresponds to a two-dimensional irrep, then we can measure 
the row index and will randomly obtain one of two outcomes. We associate 
one of these outcomes with the irrep label x and the other with the irrep 
label —X, performing the X operation on the column in the latter case. 
Furthermore, we group the trivial irrep and the alternating irrep together 
into a two-dimensional space, and similarly for the even and odd irreps. 
Labeling these two spaces and N/2, respectively, it is now easy to see 
that this procedure is equivalent to the measurement procedure outlined 
in Section |S1 where the irrep label x corresponds to the measurement of 
X G Ztv- 
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